A lot of technology which the modern world has come to ignore or take for granted was developed very early in the age of computing and hasn't changed in the decades since. For example, most financial institutions in the United States still use 1950s-vintage COBOL code, with roughly 75% of a single day's business transactions executed via the language. You can still buy 5.25″ and 3.5″ floppy disks off Amazon for an insanely high price per megabyte, simply because there still exists specialized machinery that can only read from a floppy. Likewise, an obscure and low-level architecture born in the 1970s still drives a truly massive number of physical systems.
Known as SCADA, or Supervisory Control and Data Acquisition, it exists largely unseen throughout industry and infrastructure. To the public, a SCADA system might only betray its presence via a small, unassuming antenna connected to a patchwork of grey metal boxes.
However, the scope of what is connected by SCADA includes air, railway, and automotive traffic control; water treatment; energy generation, transmission, and distribution; even automated manufacturing systems rely on it.
Historically, SCADA has gotten away with relying on "security through obscurity": no one really knew about it, and for those who did, actually exploiting SCADA meant understanding a number of specific protocols. In recent years, however, this reliance has started to become a glaring vulnerability. Because these industrial protocols are so specialized, they are not yet monitored by security systems. Many of the human-machine interfaces (HMIs) that utilize SCADA are physically insecure and theoretically can be accessed by anyone. On top of that, if there is any security present at all in the system, more often than not it is no more than the factory default login, which can be readily found in plain-text lists. See the list for yourself here.
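The point above about industrial protocols going unmonitored has a cheap partial fix on the defender's side: an allowlist of who is permitted to talk to control equipment, applied to ordinary connection logs. The script below is an added example written for this post, not code from the original article or from any of the vendors or reports it cites. It assumes a constructed log format ("timestamp src -> dst:port proto"), a hypothetical pair of allowlisted engineering and HMI subnets, and a small table of well-known industrial protocol ports (Modbus/TCP 502, DNP3 20000, S7comm 102, EtherNet/IP 44818); everything else it flags.

```python
import ipaddress
from dataclasses import dataclass

# Well-known TCP ports of common industrial protocols. Assumption: these are
# the protocols present in your plant; trim or extend from your asset inventory.
ICS_PORTS = {
    502: "Modbus/TCP",
    20000: "DNP3",
    102: "S7comm (ISO-TSAP)",
    44818: "EtherNet/IP",
}

# RFC 1918 private ranges, checked explicitly so that documentation addresses
# (which Python's ipaddress also treats as non-global) behave like Internet hosts.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Hypothetical allowlist: the only networks that should ever reach PLCs or RTUs.
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.10.50.0/24"),   # engineering workstations
    ipaddress.ip_network("10.10.60.0/24"),   # HMI servers
]


@dataclass
class Alert:
    src: str
    dst: str
    protocol: str
    reason: str


def parse_line(line):
    # Constructed log format: "<timestamp> <src_ip> -> <dst_ip>:<dport> <proto>"
    ts, src, _arrow, dst_port, _proto = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return ts, ipaddress.ip_address(src), dst, int(port)


def check_connection(src_ip, dst, dport):
    """Return an Alert if this connection touches an industrial protocol port
    from somewhere it should not, otherwise None."""
    name = ICS_PORTS.get(dport)
    if name is None:
        return None                      # not an industrial protocol; ignore
    if not any(src_ip in net for net in RFC1918):
        return Alert(str(src_ip), dst, name,
                     "industrial protocol reached from outside private address space")
    if not any(src_ip in net for net in ALLOWED_SOURCES):
        return Alert(str(src_ip), dst, name, "source not in OT allowlist")
    return None


def scan(lines):
    """Run every log line through check_connection and collect the alerts."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        _, src_ip, dst, dport = parse_line(line)
        alert = check_connection(src_ip, dst, dport)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample log: one legitimate Modbus session, one from an Internet
# address, one from an internal but unapproved subnet, one unrelated HTTPS flow.
SAMPLE_LOG = """\
2024-01-01T08:00:01 10.10.50.7 -> 10.10.100.5:502 tcp
2024-01-01T08:00:02 198.51.100.23 -> 10.10.100.5:502 tcp
2024-01-01T08:00:03 10.10.70.9 -> 10.10.100.6:20000 tcp
2024-01-01T08:00:04 10.10.50.8 -> 10.10.100.5:443 tcp
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a.protocol}: {a.src} -> {a.dst} ({a.reason})")
```

Run as-is it raises two alerts (the Internet-sourced Modbus connection and the DNP3 connection from the unapproved subnet) and stays quiet about the legitimate engineering-workstation session and the HTTPS flow. The allowlist rather than a blocklist is the design choice that matters: the set of hosts that legitimately speak to a PLC is small and stable, so anything outside it is worth a look even before you know what the protocol is doing.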
So what are the implications of this? A Trend Micro report demonstrated how simple it was to shut down water flow at an industrial water heating center; additionally, they were able to shut off and reset oil rigs (which were easily geolocated using Google Maps); and they were even able to infiltrate a power plant, with the controls readily available to stop the power supply. All these vulnerable sites were left wide open to the Internet.
In a different article, a SCADA pen-test was conducted on the operational technology network of an unnamed major airport. With no effort whatsoever, the test yielded something straight out of Die Hard 2: control over the jet bridge and runway lights, ultimately reaching total facilities control to the point of shutting down the airport.
Even railway systems are threatened, with computer-based traffic control and switching systems readily attacked without needing much skill. Like the situation with the airport, it sounds like something out of Hollywood: per the linked article, it is possible for attackers to manipulate signaling systems in order to direct traffic onto blocked sections of track, or even to engage a rail switch while a train passes over it (causing derailment). Although it is cold comfort, it should be noted that for an attacker to cause damage beyond simple mischief in the way outlined above does require ample skill.
Or not, if your victims still run XP.
- - - - - -
Questions:
1) The last time the United States had a massive regional blackout (coincidentally, caused by computer issues) was in 2003. Imagine that happening today. What do you think the consequences would be?
2) If/when smart grids eventually overhaul these legacy systems, do you think they will cause more problems than they solve?
1. The consequences of this can be extremely grave for the regions of that particular area. However, it could also be minor, depending on whether there is a counter-measure to ensure something like this doesn't happen. It just depends.
2. I think they could solve more problems rather than create problems. The question, however, may be: would they cause more catastrophic events than legacy systems? I think the only way to find out is that time will tell. But I'm going to go with "solve more problems", as I think programmers + regulations would ensure they can defend themselves adequately.